CVE-2022-4063
CRITICAL EXPLOITED NUCLEI
InPost Gallery <2.1.4.1 - Code Injection
Title source: llm
Description
The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.
Exploits (1)
Nuclei Templates (1)
WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
CRITICAL VERIFIED by theamanrawat
Scores
CVSS v3: 9.8
EPSS: 0.8850
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2023-11-13
CWE: CWE-22
Status: published
Products (1)
pluginus/inpost_gallery < 2.1.4.1
Published: Dec 19, 2022
Tracked Since: Feb 18, 2026